Watchdog releases own version of data regulation

The European data protection supervisor, Giovanni Buttarelli, has taken the unprecedented step of publishing his own draft of the European Union’s new general data protection regulation.

The rules will be negotiated in the coming months behind closed doors by the European Parliament, European Commission and the Council of the EU. If finalized by year-end, the regulation could come into force in 2018.

Buttarelli only has an advisory role in this process, however, he released a fourth text on Monday that synthesizes the other three, picking and choosing his favorite proposals.

Buttarelli’s version sides with Parliament, for example, on new privacy rules covering the processing and monitoring of personal data for EU-related activities, even when it takes place outside the bloc.

Council disagrees, saying the regulation should not apply outside European borders.

“We are living in a society where the location of the servers and the establishment of companies cannot be the relevant point,” Buttarelli said in an interview.

The watchdog’s preferred version of the regulation would also strike out a clause, favored by the Council, that would allow data collected for one purpose to be used for another, if the reasons for doing so “override” the interests of the data subject.

“This is one point where we think there is no space for reducing existing safeguards,” Buttarelli. “We fully endorse both Commission and Parliament.”

He noted his version still allows for public authorities to use personal data for public health and research purposes.

Buttarelli also backs Parliament’s proposed maximum fines for non-compliance of five percent of a company’s annual sales. Council wants a two percent maximum penalty.

At the same time, Buttarelli supported Council’s position on several points, including a three-day window for companies to notify regulators of data breaches, rather than the 24 hours favored by the other institutions.

“We should focus on something which is feasible and prevent an outcome where data protection authorities are bombarded on a daily basis by an unbelievable number of notifications they cannot handle,” he said.

Buttarelli said his intervention was intended to provide transparency and brevity.

His version, which totals about 20,000 words, is roughly 30 percent shorter than the other three. The watchdog has also released a mobile app, available for Android and iOS devices, that makes it easier to compare the four texts clause-by-clause.

One member of a parliamentary negotiating team told POLITICO that it was “really weird” for the European data protection supervisor to publish his own preferred text, since he is not a co-legislator.

Not at all, said Buttarelli: “We have been appointed to be proactive and to provide solutions. Before launching this initiative, we mentioned this before all relevant institutions, and I got full encouragement.”